Having just read the specs now, it appears that for this to work you cannot have inline scripts. From looking at django-csp, it appears there is an option to re-enable inline scripts, but that would appear to seriously limit the usefulness of the protection.

The disabling of inline scripts is problematic for us in a number of ways:

Various places in the admin use inline scripts

Lots of Django projects will use the pattern of using {% url %} inside an inline javascript block in a template, even if the bulk of the javascript is in a separate file. There have been ​discussions recently about how to improve this, but no conclusion yet.

If a CSP middleware is not compatible with either our killer app or many third party apps, I'm afraid I don't share the enthusiasm of the reporter! It isn't going to get much use in Django, and there wouldn't be much point adding it. I should also note that due to the autoescaping feature of our template language, we have a pretty good record with XSS. (Not that additional security wouldn't be welcome, I'm just pointing out that it isn't a special priority for us).

To mark 'Accepted' would really imply that we are going to do something about the inline HTML in the admin and these other problems, which is unlikely in all honesty, so I'm going to mark as Someday/Maybe instead, although I'm also inclined towards Wontfix, because we need some compelling reason why this should be in core rather than as an external app like django-csp.

Well it would be a real nice to have. I sent an email reply but it was blocked :/
Django hasn't been 'xss free' and a new template tag could be added to transform inline js into js included and served from a given location(that the CSP policy allows).

a new template tag could be added to transform inline js into js included and served from a given location(that the CSP policy allows).

Sounds wonderful! Patch welcome :-)

(To explain what may not come over well on Trac: I'm implying that there are multiple significant problems with this suggestion that would need to be solved before it was practical. A solution to them isn't necessarily impossible, but will at least require quite a lot of work. What is written above is only one step away from saying "A new 'magic wand' feature could be added to Django that makes the problems with using CSP disappear, and then it would be sensible to add it". Indeed it would be...).

I sent an email reply but it was blocked :/

I don't know what you mean by an email reply - all emails sent from Trac are from the 'noreply@…' address.

Now that CSP is much closer to being finalized, I would personally like to see this as part of Django core. We already protect against XSS, CSRF, and clickjacking; CSP fits right in with these features.

The work which can be done now (before the spec is finalized) mainly involves removing inline scripting and the mixing of styling and markup in the HTML templates we ship. This makes sense from the perspectives of both security and best practices. This would be a really good task for a group people to tackle during a sprint. Once the spec is finalized, we can work to integrate django-csp more closely, to the point that it makes sense to pull into core.

Even if we can't spend the time to really lock down the admin (and we may not, given our stance that the admin tends to be for trusted users), I think it makes sense to ship a CSP implementation with Django, so that projects can use a canonical, well tested, carefully implemented solution. Security features are hard to get right, and it makes sense to bless one and concentrate effort, rather than waiting to see which one wins.

Thanks for that patch. In general, I think it is important that we document well how to change projects to be CSP-compatible. The easier we make this, the more projects will use CSP, the safer people will be. A few quick notes:

I agree with PaulM that we could accept having the admin not CSP-compatible. However, we should very clearly document that CSP currently breaks with the admin. If I remember correctly, mozilla's django-csp allows one to add excluded paths, so that one can have both CSP and the admin enabled. That does reduce effectiveness, of course, but is better than no CSP.

With in-line javascript no longer allowed, it would be useful to point out <script type="application/json"></script> to people, which if my memory serves me right makes it easy to include a bit of json in your templates without violating CSP. Not 100% sure here though.

That can also help for the {% url %} problem described in comment:2, but perhaps there are other suggestions we can make.

This also deserves a place in the 1.8 release notes and in the security documentation (we have a specific page for that).

Current pull request does not enable a Content-Security-Policy by default, because we can make no assumptions about the implementation details of other people's code. So the admin will stay fully functional unless you specify a policy which is too strict for the admin. However I agree that it would be nice to also provide a default policy for the admin (as strict as currently possible), which should be configurable for people that want to allow more (i.e. load external scripts).

Comment:2 can be easily solved by putting url's and other data needed by Javascript in data attributes instead.

I'll add something to the release notes in my update to the pull request.

If the django-csp should be included in Django. I suggest to modify it to allow enforcing and monitoring mode alongside, as noted in CSP specification itself. One set of rules may be enforced and different set of rules may be reported.